Recently, we have been doing quite a bit of protocol testing in the lab and this tool has proven itself again and again as invaluable. My favorite feature of the tool is available by highlighting some piece of data and right clicking to bring up a menu, then selecting “compare code pages”. This brings up a window in which the highlighted data is run through a bunch of encoding/decoding schemes and presented to you both as ASCII and as hex. This makes reversing simple encoding on text as easy pie and as quick as swatting a fly. In my recent protocol work, this was a feature I used over and over again to identify various components of the data stream and figure out how each was encoded as a part of a bigger puzzle.

Another feature we have come to love is the “Show Checksums” feature. This feature displays a wide variety of checksums for the data that is highlighted and updates the checksums in realtime. This makes it pretty easy to figure out if different fields are included in the protocol’s checksum activities and leads to faster, cleaner reversing. However, I do have a couple of things I would like to see as future features for this capability. For one, I would like to see additional checksum mechanisms added and perhaps even an interface for creating your checksum scripts or equations. Additionally, I would really like it if you could get realtime updates, but with a mechanism for selecting multiple data elements and not just single strings. I really thought this would work, but could not seem to selections to “stick” so that I could add multiples.

The real power of the tool is in the creation of the “grammar files”. This is an easy to use, intuitive and powerful mechanism for reversing. I still need to practice a bit more with the grammar definition mechanisms, but I can see where this will grow the product’s usefulness rapidly. The grammar definition could lend itself to a better toolbox in the GUI. It might be easier for beginners to learn to master this capability if an set of quick and easy tools were easily available without a bunch of menu navigation. However, the feature is still excellent and the tool remains a very powerful addition to our toolbox.

The link to the App Store has a variety of screenshots of the product if you want to check it out. The product retails for $25 in the App Store and a non-Pro version is available for $5 – however, note that it lacks many features of the Pro version that make it such a useful tool.

PS – MSI has no affiliation or relationship with the product and/or the developers.

I have recently been playing with Hopper, a disassembler for Mac OS X, quite a bit. The tool is essentially a mid-line tool for working to reverse engineer code. It is more accessible on the mac than firing up a VM and using the venerable OllyDbg and the interface is quite a bit more elegant and user friendly. It is even mid-line in price, coming in between Olly, which is free, and IDA Pro which can run over a thousand dollars per license. If you hack stuff, reverse stuff or study malware on the Mac, the $60 price point is likely to make this a big winner for your budget. The app store link for the tool, in case you want to check it out, is here.

In terms of use, the tool does exactly what you expect from the description – it disassembles binaries into assembler and makes exploration of the deeper nuances of the code accessible. The newest release supports ARM, 32 & 64 bit ELF and iOS Mach-O. These add to the existing support for the standard Intel platforms of Mac OS X and Windows binaries, making this an all around useful tool for doing the basics. The flow control graphing, colorized interface and intuitive controls make the tool use less complex than Olly and IDA Pro.

One of things I would like to see in future versions of the tool would be a detector for encoded binaries and support for some of the basic decoding tools to make analysis of obfuscated applications a bit quicker, easier and more intuitive. This a common issue among disassemblers and shows that we have a way to go to improve these products as the reverse engineering and malware study tool sets improve and mature over time. Overall though, that’s about the ONLY complaint I have about Hopper. It’s an amazingly versatile and useful tool at an incredible price. Truly, it is a worthwhile investment if you want to learn more about assembler, the inner workings of code and beginning malware analysis. You can’t go wrong with this one.

Lastly, I would like to thank the author of Hopper, Vincent Benony for his work on this tool and for his engagement with the infosec community on Twitter. Seriously, he is great. He responds quickly to questions and requests, plus provides great insights into where he is taking the product next.

PS – If you want to see what the GUI looks like, there are a wide variety of screenshots in the App Store at the link above.

PSS – MSI has no affiliation or relationship with the product and/or the developers.

Just a quick note on the recent Google announcement about dumping Windows for desktops in favor of Linux and Mac OS X. As you can see from the linked article, there is a lot of hype about this move in the press.

Unfortunately, dumping Windows as a risk reducer is just plain silly. It’s not which OS your users use, but how safely they use it. If a user is going to make the same “bad computing hygiene” choices, they are going to get p0wned, regardless of their OS. Malware, Trojans and a variety of attacks exist for most every, if not every, platform. Many similar brower-based attacks exist across Windows, Linux and OS X. These are the attack patterns of today, not the Slammer and Code Red worm attack patterns of days gone by.

I fail to see how changing OS will have any serious impact on organizational risk. Perhaps it will decrease, a very small amount, the costs associated with old-school spyware and worms, but this, in my opinion is likely to be a decreasing return. Over time, attackers are getting better at cross platform exploitation and users are likely to quickly feel a false sense of security from their OS choice and make even more bad decisions. Combine these, and then multiply the costs of additional support calls to the help desk as users get comfortable and have configuration issues in the enterprise, and it seems to me to be a losing gambit.

Time will tell, but I think this was a pretty silly move and one that should be studied carefully before being mirrored by other firms.

A new OS X Trojan has been spotted in the wild. The Trojan has been given the identifier “TheOSX/Hovdy-A”, and can perform somewhat advanced attacks against an infected machine. The Trojan takes advantage of a recent escalation exploit within applescript to gain root access to the machine. Once root, the Trojan can manipulate the firewall, steal passwords, and disable security settings. As OS X becomes more popular, we can expect to see more malicious software aimed it. Don’t assume that you’re safe just because you’re on a Mac, follow all of the precautions that your would with any other OS and practice safe surfing!

If you’re running an OS X version below 10.5.3 it is time to upgrade or install security update 2008-003.
This update fixes multiple issues that could result in system access, security bypass and privilege escalation, DoS, Cross Site scripting and a number of information exposure issues.

Apple has released an update to OS X 10.5. The update addresses a broad spectrum of issues which could allow for a range of compromises ranging from Denial of Service to illicit remote access to the execution of arbitrary code. Some of the specifically identified vulnerabilities include problems with URL handling in Mail and the Safari browser, a buffer overflow in Samba and unspecified problems in NFS. For full details please see Apple’s original advisory at:http://docs.info.apple.com/article.html?artnum=307430